Active Directory Users
This page explains how to integrate your Active Directory Users data source with Hunters. The table holds information about domain users and their properties, including person-related information. For more information on the data schema, see here or here.
This data source is used in the Hunters pipeline mainly to correlate various entities (AWS User ARN, etc.) to a related person entity, which provides context for security-related events and allows correlating signals from different attack surfaces.
Getting the data
To retrieve the data in the expected format, run the following PowerShell on the relevant Domain Controllers (the two statements must be separated, either by a line break or by `;`):
Import-Module ActiveDirectory; Get-ADUser -Filter * -Properties * | Export-Csv <FILE_PATH>
For a better integration, it is recommended to set up a periodic scheduled job (e.g. once a day) that executes the command above and ships the resulting files to Hunters.
Expected Format on Hunters' Side
For the Hunters ingestion mechanism to accept the output file, the following requirements need to be satisfied:
- The output file should be passed as is, without modifications, to a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.
- The file should be placed under a dedicated prefix inside the shared bucket (e.g.
- The time fields in the output file (MODIFIED, etc.) should all be in the following format: %Y-%m-%dT%H:%M:%S. This can be achieved by using the ToString function with this format (e.g.
- The file name should start with the execution time (snapshot time), in the following format:
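The following script is an added example, not Hunters' own tooling, that ties together the export command from "Getting the data" and the format requirements above: it exports all domain users, rewrites every DateTime-typed property (Created, Modified, whenChanged, LastLogonDate, ...) into the required %Y-%m-%dT%H:%M:%S shape (the .NET equivalent is the custom format string yyyy-MM-ddTHH:mm:ss), flattens multi-valued attributes so they do not serialise as a type name, and prefixes the file name with the snapshot time. The output directory, the `_ad_users.csv` suffix and the exact timestamp layout used in the file name are assumptions (Windows file names cannot contain `:`), since the page does not reproduce Hunters' file-name pattern; substitute the pattern from your integration settings.

```powershell
# Added example: export AD users for Hunters with normalised timestamps.
# Run on a Domain Controller (or any host with RSAT) as an account allowed to read all user objects.
Import-Module ActiveDirectory

# Assumed values: adjust to your environment and to the file-name pattern Hunters expects.
$OutputDir    = 'C:\HuntersExport'                 # hypothetical staging folder, later shipped to the shared bucket
$SnapshotTime = Get-Date                           # execution time = snapshot time of this export
$FileStamp    = $SnapshotTime.ToString('yyyy-MM-ddTHH-mm-ss')   # assumed file-name stamp ('-' instead of ':' in the time part)
$OutFile      = Join-Path $OutputDir ("{0}_ad_users.csv" -f $FileStamp)

# .NET custom format equivalent of %Y-%m-%dT%H:%M:%S, as required for MODIFIED and the other time fields
$TimeFormat = 'yyyy-MM-ddTHH:mm:ss'

if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }

Get-ADUser -Filter * -Properties * | ForEach-Object {
    $user = $_
    $row  = [ordered]@{}
    foreach ($prop in $user.PSObject.Properties) {
        $value = $prop.Value
        if ($value -is [DateTime]) {
            # Keep the original column name, only change the representation of the value.
            # The page does not state a time zone; ToUniversalTime() is applied here so all DCs agree.
            $row[$prop.Name] = $value.ToUniversalTime().ToString($TimeFormat)
        }
        elseif ($value -is [System.Collections.ICollection]) {
            # MemberOf, proxyAddresses, etc. are collections; Export-Csv would otherwise write their type name.
            $row[$prop.Name] = (@($value) -join ';')
        }
        else {
            $row[$prop.Name] = $value
        }
    }
    [PSCustomObject]$row
} | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Output "Wrote $OutFile"
```

Save the script on the Domain Controller and run it from a scheduled task (for example once a day, matching the periodic job recommended above); the resulting file is then copied unchanged to the dedicated prefix in the shared bucket. Note that `-NoTypeInformation` suppresses the `#TYPE` header line that `Export-Csv` otherwise emits; if your Hunters integration was set up against files produced by the bare one-liner, confirm which header variant it expects before switching.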